
System Forensics, Investigation, and Response Day 1-3

Day 2

Forensic Methodology Illustrated

  • Forensic Investigation Methodology..4
  • Tool Theory..5
  • Toolkits Defined..7

Network Forensics..9

  • Network Investigations..10

If there is suspicion of activity, install a wiretap. Since you are protecting your network, there is legal precedent for using a wiretap; there must be "probable cause."

Law enforcement, however, must have a subpoena.

Hackers will start out doing a whois lookup, which gives information about the primary network and mail exchange, leading on to internet caches, newsgroups, and administrators asking questions that reveal OS type, firewalls, etc.

Packet 1776 contains the FTP data string; filter on that.

tcp port == 24 shows PuTTY

  • Pre-Conditions for Wiretap..11
  • Wiretap Benefits..12

Linux Compromise: Forensic Verification..13

  • Hacker Methodology..14
  • Network-Based Forensics..15
  • Wireshark Primer..16
  • Network Attack Hands-On..19

Helix..22

  • Incident Response/Forensic Verification..27
  • Evidence Gathering Tools..29
  • netcat..30
  • Linux Verification..32
  • Memdump..35
  • Investigative Recon..37

Set up the forensics workstation to receive data via netcat:

cd /images/unixforensics
nc -l -p 31337 > vmware_memory_dump

Use the programs from the CD. Memdump output should be sent via netcat (nc):

mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./memdump | ./nc -vv 192.168.2.1 31337

The output of the following commands can be sent via netcat (nc) the same way; just set up a listener on the forensics workstation first.

./uptime
./uname -a
./date
./fdisk -l
./mount
./netstat -anp
./lsof -n
./ls -lit

  • Timelines..38
    • gather data

on forensics workstation:

cd /images/unixforensics
nc -vv -l -p 31337 > vmware_bodyfile.mac

on hacked machine:

mount /dev/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
./mac-robber / | ./nc -vv 192.168.2.2 31337

    • make human readable: run mactime on the mac-robber file and redirect the output to a file.

on forensics workstation:

cd /images/unixforensics
mactime -b vmware_bodyfile.mac > timeline-vmware.txt
less timeline-vmware.txt

  • MACtime Evidence..46
  • Volatile Information..47
  • Creating a Timeline..48
  • Creating your First Timeline..51
  • **mac-robber** Usage..52
  • **mactime**..53
  • Searching the file system [timeline]..57

Commands the hacker initially used:

w
last
add user jack
changed password to jack -checks password sc
secure copy rootkit
netstat
top
ps
creates /usr/sbin/mkxfs
creates /dev/ida/.. /sl2
/dev/ida/.drag-on

Commonly trojanized files (these look odd because only the ctime is modified):

ifconfig
ps
netstat
top

Files with just an atime have been accessed or executed:

logclear
linsniffer
.drag-on
..(space)

  • Timeline Analysis Exercise..58

The modification times indicate that the inodes themselves were changed (likely indicating that the files were decompressed). The ctime shows that the files themselves were modified, which typically happens during installation.

  • What can I use to look for rootkits? lsof and netstat..59

lsof and netstat

Set up an nc listener on the forensics workstation, then on the hacked machine:

./lsof -n | ./nc 192.168.2.2 31337
./netstat -nap | ./nc 192.168.2.2 31337

lsof lists every process's open files, including deleted files that are still in use.

mkxfs is probably a trojanized ssh.

  • lsof..60
  • pcat (removed from Helix)..61
  • Finding Clues Using Inodes..63

Inodes are sequential on a newly installed system.

./ls -lit /usr/bin | ./sort | ./less

Directories to look at are /usr/bin, /usr/sbin, /sbin.

To look at all files:

./ls -litR

If files have been modified, they will also have sequential inode allocations. Look for very high or very low numbers.

  • Example Inode Listing in /usr/bin..65
  • Other Files..66
  • Log Files..67
  • Forensic Response Step-By-Step..68
  • Helix linux-ir.sh..69

Evidence Integrity..70

  • Cryptographic Hashes..71
  • md5sum..72

md5sum

  • md5deep..75

./md5deep -r / | ./nc 192.168.2.2 31337 -w 3

  • National Software Reference Library..76

Forensic Imaging..77

  • Gathering the Evidence..78
  • Bit Image Creation (Overview)..79
  • No Standard!..80
  • Imaging Conditions..81
  • Logical or Physical Backups..82
  • Normal Backup Software..83
  • dd..84

dd if=INFILE of=OUTFILE

    bs=N               block size
    count=N            number of blocks to copy
    skip=N             number of blocks to skip at the start of the input
    conv=noerror,sync  continue past read errors and pad the unreadable block with zeros

  • dcfldd..86

dcfldd if=INFILE of=OUTFILE

    hashwindow=0       hash the entire image as one window
    hashlog=drive.md5.txt
  • Host Protected Area (HPA)..87
  • HPA Detection..88

Host Protected Area

disk_stat /dev/hdb

  • HPA Removal..89

removal (temporary):

disk_reset /dev/hdb

  • Starting Netcat for Imaging..90
  • Imaging the Compromised Machine..91

Before imaging, send the output of these commands through nc as well:

mount
fdisk -l

On forensics workstation:

cd /images/unixforensics
nc -l -p 31337 > vmware_dev_sda.img
md5sum vmware_dev_sda.img

On hacked machine:

mount /dev/cdrom /mnt/cdrom
cd /mnt/cdrom/Static-Binaries/linux_x86
fdisk -l
mount
./dcfldd if=/dev/sda hashwindow=0 | ./nc 192.168.2.2 31337

  • How do I extract logical partitions from the physical image? mmls..92
  • mmls Output
  • Extracting Partitions..94
  • mmls Output from your Image..95
  • Extracting Partitions..96

mmls disk1.dd

If mmls cannot determine the type, try:

mmls -t dos disk1.dd
dd if=disk1.dd bs=512 skip=62 count=1028097 of=part1.dd

The first extended partition is numbered 5 and counts on from there.

Do not normally extract extended partitions; they are just boundaries.

The first 512 bytes contain the MBR. The partition table starts at byte 446 and each entry is 16 bytes long. The last 8 bytes of an entry are the useful part: the last four are the length of the partition and the four before that are its offset. Don't forget to add 63 for the partition boundary(?).
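Added example, not part of the notes or of mmls: a Python walk of the MBR layout described above (table at byte 446, 16-byte entries, LBA offset and length in the last 8 bytes), generalized to follow the extended-partition chain so logical partitions come out numbered from 5, and emitting the dd line for each data partition. The sparse sample image, its partition types and offsets are constructed.

```python
import struct

EXTENDED = {0x05, 0x0F, 0x85}      # DOS extended-partition types: boundaries, not data
ENTRY = "<B3sB3sII"                # boot flag, CHS start, type, CHS end, LBA start, sector count

def make_entry(ptype, start, count):
    """Build one 16-byte table entry (CHS fields zeroed; only the LBA fields matter here)."""
    return struct.pack(ENTRY, 0, b"\0\0\0", ptype, b"\0\0\0", start, count)

def make_sector(entries):
    """Pad to 4 entries, put the table at byte 446 and finish the 512-byte sector with 0x55AA."""
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return b"\0" * 446 + table + b"\x55\xaa"

# Constructed sparse image: a dict holding only the sectors that carry partition tables.
EXT_BASE = 1028160
SAMPLE_IMAGE = {
    0: make_sector([make_entry(0x83, 63, 1028097), make_entry(0x05, EXT_BASE, 200000)]),
    EXT_BASE: make_sector([make_entry(0x83, 63, 99937), make_entry(0x05, 100000, 100000)]),
    EXT_BASE + 100000: make_sector([make_entry(0x82, 63, 99937)]),
}

def read_table(read_sector, lba):
    sec = read_sector(lba)
    if sec[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature in sector %d" % lba)
    return [struct.unpack_from(ENTRY, sec, 446 + 16 * i) for i in range(4)]

def partitions(read_sector):
    """(number, type, absolute start sector, length) for primaries 1-4, then logicals from 5."""
    found, ext_base = [], None
    for n, (_, _, ptype, _, start, count) in enumerate(read_table(read_sector, 0), 1):
        if ptype:
            found.append((n, ptype, start, count))
        if ptype in EXTENDED and ext_base is None:
            ext_base = start
    ebr, num = ext_base, 5
    while ebr is not None:
        first, link = read_table(read_sector, ebr)[:2]
        if first[2]:                                  # logical partition, start relative to this EBR
            found.append((num, first[2], ebr + first[4], first[5]))
            num += 1
        ebr = ext_base + link[4] if link[2] in EXTENDED and link[4] else None  # next EBR, from base
    return found

def dd_commands(read_sector, image="disk1.dd"):
    """One dd line per data partition; extended entries are skipped since they are only boundaries."""
    return ["dd if=%s bs=512 skip=%d count=%d of=part%d.dd" % (image, s, c, n)
            for n, t, s, c in partitions(read_sector) if t not in EXTENDED]
```

For a real image, pass a reader over an open file, e.g. `lambda lba: (f.seek(lba * 512), f.read(512))[1]`; the skip and count in each dd line are exactly the start and length mmls reports for that slot.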

  • What do I do with the “image”?..97
  • mount..98
  • Bit Image Review..101
  • Disk Imaging: Hands-On..102
  • Mount Images for Analysis..103

Mount the root partition first, then mount the other partitions inside it.

mount -t ext2 -o ro,loop,noexec vmware_dev_sda6.img /mnt/hack/unixforenseics_mount
mount -t ext2 -o ro,loop,noexec vmware_dev_sda1.img /mnt/hack/unixforenseics_mount/boot

aoe/sans508-2.txt · Last modified: 2023/12/27 16:42 by 127.0.0.1